"I wanted to let you know that I don't think that Edmodo'sstatement that districts can opt-in to full SSL is correct. I'm basing myanalysis on information posted on their website. It appears to be truethat schools can configure their own internal networks to forceedmodo sessions to be fully served with SSL. However the directionsEdmodo has posted for "how to use edmodo with https" when not on aschool's private network still expose the sessions to hijacking. Thedirections they've posted for admin accounts would expose the admin accountsession to hijacking according to my analysis too. ..."

"Bottom line is I think they are giving users a false sense ofsecurity by implying this is a secure method of connection when in fact it isexposing them to the risk of having sessions hijacked. It also makestheir claim that since 2011 any school that chooses can opt-in to SSL at best ahalf-truth. And, the half that is true is not the area of concern as the schoolnetwork is restricted access and ought to be well secured with WPA2. Alsoalong with the problem of exposing the session cookie at each login, I thinkit's questionable to describe a method where every user must remember to dothis every time as something that a district can 'opt in' for."

While I hate to condemn Edmodo, which I believe offers a valuable service, Mr. Porterfield's reasoning seems sound to me. I hope we'll see Edmodo make a serious effort at improving security with the update promised for July.

In a follow-up phone call, Edmodo CEO Crystal Hutter emphasized that the service was "built with the privacy and security of students in mind" and added that "we collect very little personally identifiable info about students." Edmodo serves, in part, as a safe social platform where students interact with their teachers, not random strangers.

She said the data center and networking expenses associated with supporting full SSL are not what has been holding the company back. The only issue has been the older PCs and browsers still in place at many schools, she said. Edmodo had already decided the time had come to switch to full-session SSL prior to the Times story and was already working with schools to prepare for the switch, she said.

They simply need to disable http access to their site and only allow https connections. Then, it would not matter where the source request comes from. A dam only works if it doesn't have pinholes in it. Yet another wrinkle to this story is - how about encryption of the data "at rest"? It's one thing to SSL encrypt the communications channel. It is quite another to take the next logical step and encrypt the actual stored data - in case of a Datacenter breach.

According to Edmodo, a school district need not establish an administrative subdomain on the service to enable SSL: "A school or district can ensure that ALL users are accessing Edmodo through SSL when they are on the school or district's network by automatically redirecting www.edmodo.com to https://www.edmodo.com. This does not require that the school have a formal relationship with Edmodo or have a subdomain."

That's an interesting distinction, but I'm not sure it's reassuring. What they seem to be saying is that network administrators can build in a redirect to make sure all traffic to the Edmodo domain would go to the https address. However, that would only work when the teacher accesses the service from on school premises. If they were logging in from home or a coffee shop (where the risk would be greater to begin with), that redirection wouldn't kick in. I suspect after hours is when teachers have more time to log into the application.

Edmodo provides a valuable service, appreciated by teachers across the world, so the good news is they are promising to close this loophole soon.
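The difference between a redirect on the school network and enforcement by the service itself can be checked from the responses a site sends, wherever the user connects from. The sketch below is an added example, not code from Edmodo or from the original article: it audits a recorded exchange for a server-side redirect to HTTPS, an HSTS header, and the `Secure` attribute on cookies. The host `app.example.test`, the cookie name and both sample exchanges are constructed, and HSTS and the `Secure` attribute are standard mechanisms assumed here rather than anything the article mentions.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def cookie_is_secure(set_cookie: str) -> bool:
    """True if the Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" in attrs

def audit(exchanges):
    """exchanges: list of (url, status, [(header, value), ...]).
    Returns a list of (url, finding_code) tuples; empty means HTTPS is enforced."""
    findings = []
    for url, status, headers in exchanges:
        hdrs = [(k.lower(), v) for k, v in headers]
        cookies = [v for k, v in hdrs if k == "set-cookie"]
        location = next((v for k, v in hdrs if k == "location"), "")
        if urlsplit(url).scheme == "http":
            # The service itself must bounce plain HTTP, not the local network.
            if not (status in REDIRECTS and location.lower().startswith("https://")):
                findings.append((url, "http-not-redirected"))
            if cookies:
                findings.append((url, "cookie-set-over-http"))
        elif not any(k == "strict-transport-security" for k, _ in hdrs):
            # Without HSTS the browser may still try plain HTTP on a later visit.
            findings.append((url, "no-hsts"))
        for cookie in cookies:
            if not cookie_is_secure(cookie):
                # Browser will attach this cookie to plain-HTTP requests too.
                findings.append((url, "cookie-missing-secure"))
    return findings

# Constructed sample: login over HTTPS, but the session continues over HTTP.
MIXED = [
    ("https://app.example.test/login", 200,
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("http://app.example.test/home", 200, [("Content-Type", "text/html")]),
]
# Constructed sample: the service enforces HTTPS regardless of network.
ENFORCED = [
    ("http://app.example.test/home", 301,
     [("Location", "https://app.example.test/home")]),
    ("https://app.example.test/login", 200,
     [("Strict-Transport-Security", "max-age=31536000"),
      ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")]),
]

if __name__ == "__main__":
    for name, sample in (("mixed", MIXED), ("enforced", ENFORCED)):
        print(name, audit(sample))
```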
